Share documents safely

SAN FRANCISCO (10/03/2003) - Information security has traditionally been handled at the network perimeter, its focus on defending the edge of the organization with firewalls and hardened servers. Cyber-Ark Software Ltd.'s Inter-Business Vault takes an alternative approach, storing sensitive data in digital vaults that -- by limiting data access channels and encrypting data on disk and in transit -- provide extraordinary security.

A bank, for example, could use Inter-Business Vault to share lockbox, automated clearing house, and account reconcilement processing records with its commercial customers. These processes have traditionally been done using homegrown applications that integrate FTP with encryption, couriers, faxes, VPNs, and leased lines. Not only are such solutions difficult to deploy and hard to automate, but they're also difficult to analyze and, hence, to trust.

Inter-Business Vault takes a multilayered approach to securing data. The Vault runs on dedicated hardware that is locked down to eliminate security holes. All data access happens through a single channel; data traffic on this channel is inspected by a built-in firewall, allowing only the Inter-Business Vault protocols to pass. Strong authentication is built in, and every resource in the vault is subject to an access control policy.

Connections to the Vault are encrypted at the session level, and every file in the vault is encrypted as well, including during backup. With code and data isolated inside, the Vault can be set to inspect incoming files and strip away executables to protect against viruses, too. Finally, just as in a real vault, files can be stored so that two-key authentication is required for access, time delays can be set between authentication and access, and access can be limited to certain times of day.

For users on the company LAN, the primary means of manipulating files on the Vault is a GUI client that runs on Windows. Depending on his or her authorization, a user can create and delete safes within a vault and store and retrieve files. Visual cues in the interface indicate when files have been accessed. Exclamation marks on vaults indicate that someone other than the owner viewed, updated, or stored information in the safe. Each file carries visual cues as well. A blue mark indicates someone accessed the file, red indicates that someone updated the file, and green indicates a new file. Users can view the access history for each file.

Business partners outside the firewall can share files via a Web interface provided by an HTTP gateway that runs inside Microsoft IIS over SSL. This gateway makes it easy to extend Inter-Business Vault access, as the Web interface provides the same functionality as the Windows GUI.

Other interfaces to the Vault include a CIFS (Common Internet File System) interface that allows safes to be mounted as folders on any Windows, Apple, or Linux machine; an FTP gateway; and an SDK that allows programming connections to the Vault using C/C++ or ActiveX. A command line-based tool can be used in batch processes to automate file distribution or maintenance.

Strategy First, Infrastructure Second

With so many ways to access and modify files in the Vault, and the ability to delegate authorizations, Inter-Business Vault makes file sharing much easier. In fact, the hardest part of using Inter-Business Vault isn't deploying and operating the product -- it's creating an identity management strategy that correctly accounts for documents and other resources in need of protection, for the people who will access them, and for the authorizations that each person has with respect to the resources.

Installing the Vault will only make data more secure if the right data is kept in the vault and users are permitted access only to the data they need. If an enterprise understands how it will manage resources and users, and puts useful policies in place, Inter-Business Vault can be a critical piece of infrastructure for securely sharing files with employees, customers, and partners.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.